This container image includes UBI version 9, which contains the following packages:
- OpenSSL: with the FIPS 140-2 compliant OpenSSL module from Red Hat UBI 9. Note that the FIPS module is disabled by default in this image. To toggle it on or off, see Toggle FIPS mode on/off.
- Ruby: compiled against the FIPS 140-2 compliant OpenSSL module.
- Postgres client: linked against the FIPS 140-2 compliant OpenSSL module.
- Bundler.
The exact versions of packages mentioned above can be found in Description.md.
The builder image should not be used as the eventual application image. It should be solely used to build an actual application image.
The FIPS module is disabled in the `ubi-ruby-builder` image to take advantage of the dependency download optimization that Bundler utilizes.
Bundler uses the MD5 hash algorithm, which is not FIPS compliant, so no optimization can be applied on images with the FIPS module enabled. This has a negative effect on dependency download speed.
- Current directory is the directory where this repository is cloned
- Docker version is `24` or higher
Image name | Description |
---|---|
ubi-ruby-builder | Ruby image with building tools |
ubi-ruby-fips | Final image |
ubi-ruby-fips-slim | Lightweight final image |
To build the images execute:
./ubi-ruby-fips/build.sh
Because the `fipsinstall` command is disabled at the container level in the UBI9 image (through patched OpenSSL source), it is not possible to control the FIPS mode through the `openssl fipsinstall` command.
This caused failures in OpenShift tests.
To allow the tests to pass, a FIPS mode configuration file was introduced, which is then read in fips_init@14 during initialization of the container.
The parameter `OPENSSL_CONF=/etc/pki/tls/openssl_fips.cnf` controls the toggling of the FIPS mode.
For additional information, please refer to official OpenSSL documentation.
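
An added example, not part of this repository: a Ruby check that can be run inside an image to confirm whether the toggle took effect. It assumes the Ruby `openssl` extension is available and that an enabled FIPS module rejects MD5 while still permitting SHA-256; the function names are hypothetical.

```ruby
require "openssl"

# Try to compute a digest; returns false when the active OpenSSL
# provider refuses (or does not know) the algorithm.
def digest_allowed?(name)
  OpenSSL::Digest.new(name).digest("probe")
  true
rescue StandardError
  false
end

# Collect the FIPS-relevant state of the current Ruby process.
def fips_report(env = ENV)
  {
    openssl_conf: env["OPENSSL_CONF"],          # config file that drives the toggle
    library: OpenSSL::OPENSSL_LIBRARY_VERSION,  # OpenSSL actually loaded at runtime
    fips_mode: OpenSSL.fips_mode,
    md5_allowed: digest_allowed?("MD5"),
    sha256_allowed: digest_allowed?("SHA256"),
  }
end

# Assumption: SHA-256 must always work, and with FIPS on MD5 must be refused.
def consistent?(report)
  return false unless report[:sha256_allowed]
  !(report[:fips_mode] && report[:md5_allowed])
end

if __FILE__ == $PROGRAM_NAME
  report = fips_report
  report.each { |key, value| puts "#{key}: #{value.inspect}" }
  abort "inconsistent FIPS state" unless consistent?(report)
end
```

A report with `fips_mode: false` and `md5_allowed: true` is the expected state of the builder image; the final images should show the opposite once `OPENSSL_CONF` points at the FIPS configuration file.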